Data Processing Agreement - Pure Subscriptions

================================================================================
                      DATA PROCESSING AGREEMENT (DPA)
                    Pure Subscriptions - Paystack Integration
================================================================================

Last Updated: October 17, 2025
Version: 1.0


1. INTRODUCTION
================================================================================

This Data Processing Agreement ("DPA") forms part of the Terms of Service 
between Pure Commerce (Pty) Ltd ("Processor", "we", "us") and the merchant 
installing the Pure Subscriptions app ("Merchant", "you", "Data Controller").

This DPA applies to the processing of Personal Data by the Processor on behalf 
of the Merchant in connection with the Pure Subscriptions service.


2. DEFINITIONS
================================================================================

Personal Data: Any information relating to an identified or identifiable 
natural person, including customer names, email addresses, phone numbers, 
physical addresses, and payment authorization data.

Processing: Any operation performed on Personal Data, including collection, 
storage, use, transmission, and deletion.

Data Subject: The Merchant's customers whose Personal Data is processed by the 
Processor.

Sub-processor: Any third party engaged by the Processor to process Personal 
Data on behalf of the Merchant.

GDPR: General Data Protection Regulation (EU) 2016/679

POPIA: Protection of Personal Information Act 4 of 2013 (South Africa)


3. SCOPE AND APPLICABILITY
================================================================================

Subject Matter
Processing of Personal Data necessary to provide subscription management and 
billing services through the Pure Subscriptions app.

Duration
This DPA remains in effect for as long as the Merchant uses the Pure 
Subscriptions service.

Nature and Purpose of Processing
  • Managing recurring subscriptions for Merchant's customers
  • Processing subscription payments via Paystack
  • Sending transactional notifications (order confirmations, payment receipts, 
    subscription updates)
  • Maintaining subscription history and analytics

Types of Personal Data
  • Contact information (name, email, phone number)
  • Shipping addresses
  • Payment authorization codes and tokens
  • Subscription preferences and history
  • Order transaction data

Categories of Data Subjects
The Merchant's customers who subscribe to products or services.


4. PROCESSOR'S OBLIGATIONS
================================================================================

LAWFUL PROCESSING

The Processor shall:
  • Process Personal Data only on documented instructions from the Merchant
  • Not process Personal Data for any purpose other than providing the Service
  • Ensure compliance with GDPR, POPIA, and other applicable data protection 
    laws

CONFIDENTIALITY

The Processor shall:
  • Ensure all personnel authorized to process Personal Data are bound by 
    confidentiality obligations
  • Limit access to Personal Data to personnel who require it to perform their 
    duties
  • Not disclose Personal Data to third parties without Merchant authorization, 
    except as required by law

SECURITY MEASURES

The Processor implements appropriate technical and organizational measures 
including:

Technical Measures:
  • Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
  • Secure password hashing (bcrypt)
  • Database access controls and authentication
  • Regular security updates and patches
  • Automated vulnerability scanning
  • Real-time error and security monitoring (Sentry)

Organizational Measures:
  • Security Incident Response Policy
  • Data Loss Prevention Strategy
  • Regular security audits and reviews
  • Employee security training
  • Access control and authorization procedures
  • Data retention and deletion policies

SUB-PROCESSORS

The Processor uses the following Sub-processors:

Sub-processor      Service                      Location    Purpose
--------------------------------------------------------------------------------
Heroku             Application hosting          USA         Hosting & database
(Salesforce)       and PostgreSQL database

Paystack           Payment processing           Nigeria     Payment authorization
                                                             and processing

Shopify            E-commerce platform          Canada      Customer and order
                                                             data sync

Google Cloud       Email delivery               USA         Transactional email
(Gmail API)                                                  delivery

Sentry             Error monitoring             USA         Application monitoring
                                                             and error tracking

The Merchant authorizes the Processor to engage these Sub-processors. The 
Processor shall:
  • Ensure Sub-processors are bound by data protection obligations equivalent 
    to this DPA
  • Remain fully liable for any Sub-processor's acts or omissions
  • Notify Merchant of any changes to Sub-processors with 30 days' notice
  • Allow Merchant to object to new Sub-processors

DATA SUBJECT RIGHTS

The Processor shall assist the Merchant in responding to Data Subject requests:

  • Access: Provide data exports within 48 hours of Merchant request
  • Rectification: Update or correct Personal Data as instructed by Merchant
  • Erasure: Delete customer data within 7 days of Merchant request
  • Portability: Export data in structured, machine-readable format (JSON)
  • Objection: Stop processing as instructed by Merchant

The Merchant is responsible for handling Data Subject requests directly. The 
Processor provides tools and support to facilitate compliance.

DATA BREACH NOTIFICATION

In the event of a Personal Data breach, the Processor shall:
  • Notify the Merchant without undue delay and in any case within 24 hours 
    of becoming aware of the breach
  • Provide detailed information including:
    - Nature and extent of the breach
    - Categories and approximate number of Data Subjects affected
    - Likely consequences of the breach
    - Measures taken or proposed to address the breach
  • Cooperate with the Merchant in breach investigation and remediation
  • Document all breaches and make records available to the Merchant

DATA PROTECTION IMPACT ASSESSMENTS

The Processor shall provide reasonable assistance to the Merchant in conducting 
Data Protection Impact Assessments (DPIAs) when required.

AUDITS AND INSPECTIONS

The Processor shall:
  • Make available all information necessary to demonstrate compliance with 
    this DPA
  • Allow for and contribute to audits by the Merchant or authorized third 
    parties
  • Provide audit reports and security certifications upon reasonable request
  • Respond to audit findings within 30 days


5. MERCHANT'S OBLIGATIONS
================================================================================

LAWFUL INSTRUCTIONS

The Merchant warrants that:
  • It has the legal right to provide customer Personal Data to the Processor
  • It has obtained all necessary consents from Data Subjects
  • Its instructions comply with GDPR, POPIA, and other applicable laws
  • It maintains its own Privacy Policy informing customers of data processing

DATA ACCURACY

The Merchant is responsible for:
  • Ensuring the accuracy of Personal Data provided
  • Updating or correcting inaccurate data
  • Handling Data Subject complaints and requests

LEGAL COMPLIANCE

The Merchant shall:
  • Comply with all applicable data protection laws as Data Controller
  • Notify customers about the use of the Pure Subscriptions service
  • Obtain necessary consents for data processing and communications
  • Maintain appropriate legal basis for processing (contract performance, 
    consent, legitimate interest)


6. DATA TRANSFERS
================================================================================

INTERNATIONAL TRANSFERS

Personal Data may be transferred to and processed in:
  • South Africa (Processor's country of establishment)
  • United States (hosting via Heroku, email via Google, monitoring via Sentry)
  • Nigeria (payment processing via Paystack)
  • Canada (Shopify API integration)

TRANSFER SAFEGUARDS

For transfers outside South Africa and the EEA, the Processor relies on:
  • Standard Contractual Clauses (SCCs): EU-approved SCCs with Sub-processors
  • Adequacy Decisions: Where applicable (e.g., the EU adequacy decision 
    covering commercial organisations in Canada)
  • Processor Binding Corporate Rules: Where Sub-processors have implemented 
    BCRs
  • Necessary for Contract Performance: Transfers required to provide the 
    Service

DATA LOCALIZATION

  • Primary database: Heroku PostgreSQL (US region, encrypted at rest)
  • Backups: Automated daily backups, 7-day retention
  • Data residency requests: Available upon request for enterprise customers


7. DATA RETENTION AND DELETION
================================================================================

RETENTION PERIOD

Personal Data is retained for:
  • Active subscriptions: Duration of subscription plus 30 days
  • Cancelled subscriptions: 90 days after cancellation (for dispute 
    resolution)
  • Transaction records: 7 years (for tax and accounting compliance)
  • Anonymized analytics: Indefinitely (data that can no longer be linked to 
    a Data Subject is not Personal Data)

DATA DELETION

Upon termination of the Service or Merchant request, the Processor shall:
  • Delete or return all Personal Data within 30 days
  • Provide written certification of deletion upon request
  • Retain only data required by law (e.g., financial records)
  • Anonymize data used for analytics or service improvement

MERCHANT SELF-SERVICE DELETION

Merchants can delete customer data at any time through:
  • Customer deletion API endpoint
  • Admin dashboard bulk deletion tools
  • Individual subscription/customer deletion actions


8. LIABILITY AND INDEMNIFICATION
================================================================================

PROCESSOR LIABILITY

The Processor is liable for damages caused by:
  • Processing in violation of this DPA
  • Acting outside or contrary to lawful Merchant instructions
  • Failure to implement appropriate security measures

LIMITATION OF LIABILITY

The Processor's total liability under this DPA shall not exceed the fees paid 
by the Merchant in the 12 months preceding the claim.

Exceptions to limitation:
  • Gross negligence or willful misconduct
  • Data breaches caused by Processor's security failures
  • Violations of data protection laws due to Processor's actions

INDEMNIFICATION

Each party shall indemnify the other against:
  • Claims arising from its breach of this DPA
  • Fines or penalties imposed due to its non-compliance with data protection 
    laws
  • Third-party claims resulting from its unlawful processing


9. TERM AND TERMINATION
================================================================================

TERM

This DPA takes effect when the Merchant installs the Pure Subscriptions app 
and continues until termination of the Service.

TERMINATION

This DPA terminates automatically upon:
  • Merchant uninstalls the app
  • Termination of Terms of Service
  • Written notice by either party with 30 days' notice

EFFECTS OF TERMINATION

Upon termination:
  • Processor shall cease all processing of Personal Data
  • Processor shall delete or return Personal Data within 30 days
  • Processor may retain data required by law with restricted access
  • Security obligations continue for retained data


10. GOVERNING LAW AND DISPUTE RESOLUTION
================================================================================

GOVERNING LAW

This DPA is governed by the laws of South Africa.

REGULATORY AUTHORITY

Data Subjects in the EU may lodge complaints with their local supervisory 
authority.

Data Subjects in South Africa may lodge complaints with the Information 
Regulator.

DISPUTE RESOLUTION

Disputes shall be resolved through:
  1. Good faith negotiations (30 days)
  2. Mediation by mutually agreed mediator (60 days)
  3. Arbitration in, or the courts of, South Africa


11. UPDATES AND AMENDMENTS
================================================================================

DPA UPDATES

The Processor may update this DPA to:
  • Reflect changes in data protection laws
  • Improve security measures
  • Add or remove Sub-processors
  • Clarify existing terms

NOTIFICATION

Material changes require 30 days' advance notice via:
  • Email to Merchant's registered address
  • In-app notification
  • Updated version posted with change log

MERCHANT OBJECTION

If Merchant objects to material changes:
  • Merchant may terminate the Service within 30 days
  • No termination fees apply for objection-based termination
  • Data deletion obligations apply upon termination


12. ADDITIONAL RIGHTS FOR EEA AND UK MERCHANTS
================================================================================

For Merchants established in the EEA or UK:
  • Standard Contractual Clauses: Incorporated by reference (EU SCCs Module 2)
  • UK Addendum: Applies for UK merchants (International Data Transfer 
    Addendum)
  • Supervisory Authority: ICO (UK) or local DPA (EEA)
  • GDPR Chapter V compliance: All transfers comply with GDPR requirements


13. CONTACT INFORMATION
================================================================================

Data Protection Officer
Pure Commerce (Pty) Ltd
Email: privacy@purecommerce.co.za

For data protection inquiries, requests, or breach notifications, contact our 
DPO at the above email address.

Response times:
  • Data Subject access requests: 48 hours
  • Data breach notifications: 24 hours
  • General inquiries: 5 business days


14. ACCEPTANCE
================================================================================

By installing and using the Pure Subscriptions app, the Merchant acknowledges:
  • It has read and understands this DPA
  • It agrees to be bound by the terms of this DPA
  • It authorizes the Processor to process Personal Data as described herein
  • It will comply with its obligations as Data Controller

This DPA forms an integral part of the Terms of Service and cannot be modified 
except in writing by authorized representatives of both parties.


================================================================================
APPENDIX A: SECURITY MEASURES DETAIL
================================================================================

ENCRYPTION

  • Data in transit: TLS 1.3 with modern cipher suites
  • Data at rest: AES-256 encryption on Heroku PostgreSQL
  • Payment tokens and authorization codes: Never stored in plain text; 
    encrypted at the application layer before being written to the database
  • Sensitive fields: Application-level encryption for authorization codes, 
    with encryption keys held separately from the database

ACCESS CONTROL

  • Authentication: Shopify OAuth 2.0 for merchant access
  • Authorization: Role-based access control (RBAC)
  • Session management: Secure session tokens, automatic timeout
  • Admin access: Multi-factor authentication required
  • Database access: IP whitelist, encrypted connections only

MONITORING AND LOGGING

  • Error tracking: Sentry with PII sanitization
  • Security events: Automated detection of suspicious activity
  • Audit logs: All data access and modifications logged
  • Real-time alerts: Immediate notification of security events
  • Log retention: 90 days (access logs), 1 year (security events)
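The bullet "Sentry with PII sanitization" is the one measure in this list a merchant can actually verify, so here is an added example of what such sanitization looks like; it is not Pure Commerce's code and the page does not show their hook. Sentry's `beforeSend` option and the `user`, `request`, `extra` and `breadcrumbs` keys are part of the SDK's documented event shape; the list of redacted field names, the AUTH_ code format and the sample event are assumptions constructed for this example.

```javascript
// Added example (not Pure Commerce code): a Sentry `beforeSend` hook that
// strips Personal Data from an error event before it leaves the application.
// Sentry's `beforeSend` option and the `user`, `request`, `extra` and
// `breadcrumbs` keys are part of the SDK's documented event shape; the field
// names in PII_KEYS, the AUTH_ code format and SAMPLE_EVENT are assumptions.

// Keys whose values are redacted wholesale, wherever they appear in the event
const PII_KEYS = new Set([
  'email', 'phone', 'name', 'first_name', 'last_name', 'address', 'address1',
  'address2', 'authorization_code', 'card', 'password', 'token', 'ip_address',
]);
// Header names that carry credentials rather than Personal Data
const SECRET_HEADERS = new Set(['authorization', 'cookie', 'x-shopify-access-token']);

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const AUTH_CODE_RE = /\bAUTH_[A-Za-z0-9]+\b/g; // Paystack-style authorization code (assumed format)
const PHONE_RE = /\+?\d(?:[\s-]?\d){8,}/g;     // 9+ digits with optional separators

// Free text (messages, breadcrumbs, stack-frame values) gets pattern-based
// scrubbing. The phone pattern over-matches long digit runs such as dates;
// over-redaction is the safe direction for a monitoring pipeline.
function scrubString(s) {
  return s.replace(EMAIL_RE, '[email]').replace(AUTH_CODE_RE, '[auth_code]').replace(PHONE_RE, '[phone]');
}

// Walks the event recursively: redacts by key name, scrubs strings by pattern,
// leaves numbers, booleans and null untouched. Returns a new object.
function scrubValue(value, keyName = '') {
  if (PII_KEYS.has(keyName.toLowerCase())) return '[redacted]';
  if (typeof value === 'string') return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubValue(v, k);
    return out;
  }
  return value;
}

// Sentry calls beforeSend(event, hint) and drops the event if it returns null.
function beforeSend(event) {
  const e = scrubValue(event);
  // Keep only an opaque customer reference so events can still be correlated
  if (e.user) e.user = e.user.id !== undefined ? { id: String(e.user.id) } : undefined;
  if (e.request) {
    delete e.request.cookies;
    for (const h of Object.keys(e.request.headers || {})) {
      if (SECRET_HEADERS.has(h.toLowerCase())) e.request.headers[h] = '[redacted]';
    }
  }
  return e;
}

// Constructed sample event (not captured from a real system)
const SAMPLE_EVENT = {
  message: 'Charge failed for jane.doe@example.com (AUTH_8dfk3j2a), phone +27 82 555 0199',
  user: { id: 'cus_42', email: 'jane.doe@example.com', ip_address: '203.0.113.9' },
  request: {
    url: 'https://app.example/webhooks/paystack',
    headers: { Authorization: 'Bearer sk_live_secret', 'Content-Type': 'application/json' },
    cookies: 'session=abc',
  },
  extra: {
    shipping: { address1: '12 Main Rd', city: 'Cape Town' },
    authorization_code: 'AUTH_8dfk3j2a',
    order_id: 1001,
  },
  breadcrumbs: [{ category: 'query', message: 'lookup customer jane.doe@example.com' }],
};

// Wiring, assuming @sentry/node is installed:
//   Sentry.init({ dsn: process.env.SENTRY_DSN, beforeSend });

module.exports = { beforeSend, scrubValue, scrubString, SAMPLE_EVENT };
```

Two points worth checking in any real deployment: the hook must run on every transport Sentry uses (errors, breadcrumbs and performance spans all pass through it when registered in `init`), and the scrub rules need a unit test like the one above so that a new field added to the data model does not silently start leaking into a US-hosted sub-processor.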

BACKUP AND RECOVERY

  • Automated backups: Daily PostgreSQL backups
  • Backup encryption: All backups encrypted at rest
  • Backup retention: 7 days rolling retention
  • Recovery testing: Quarterly recovery drills
  • RPO/RTO: 24 hours / 4 hours for critical data

VULNERABILITY MANAGEMENT

  • Dependency scanning: Automated npm audit
  • Security updates: Applied within 48 hours for critical vulnerabilities
  • Penetration testing: Annual third-party security assessment
  • Code review: Security-focused code reviews for all changes


================================================================================
APPENDIX B: SUB-PROCESSOR DETAILS
================================================================================

HEROKU (SALESFORCE)

Service: Application hosting and PostgreSQL database
Location: United States (US East region)
Data Protection: SOC 2 Type II, ISO 27001, GDPR-compliant
Agreement: Heroku Data Processing Agreement
Contact: https://www.heroku.com/policy/security

PAYSTACK

Service: Payment authorization and processing
Location: Nigeria
Data Protection: PCI DSS Level 1, NDPR-compliant
Agreement: Paystack Privacy Policy and Terms
Contact: privacy@paystack.com

SHOPIFY

Service: E-commerce platform, customer and order data sync
Location: Canada
Data Protection: SOC 2 Type II, ISO 27001, GDPR-compliant
Agreement: Shopify App Developer Agreement
Contact: https://www.shopify.com/legal/dpa

GOOGLE CLOUD PLATFORM (GMAIL API)

Service: Transactional email delivery
Location: United States
Data Protection: SOC 2 Type II, ISO 27001, GDPR-compliant
Agreement: Google Cloud Data Processing Addendum
Contact: https://cloud.google.com/terms/data-processing-addendum

SENTRY

Service: Error monitoring and application performance
Location: United States
Data Protection: SOC 2 Type II, GDPR-compliant
Agreement: Sentry Data Processing Addendum
Contact: https://sentry.io/legal/dpa/


================================================================================

Pure Commerce (Pty) Ltd
Data Processing Agreement v1.0
Effective: October 17, 2025
Next Review: April 17, 2026

================================================================================
                    Pure Commerce - Pure Subscriptions
              Email: privacy@purecommerce.co.za
================================================================================